cross-posted from: https://lemmy.ml/post/31718711

Always wanted to selfhost your Fediverse instance but were always worried about system administration trauma?

Do you ever have to run around your flat, picking up all the leftover parentheses from yesterday’s party with your hosting coop coworkers?

Then you are probably the right person. Check out this post about fearless Bonfire hosting on a Guix System. You’ll learn that taking care of a community is much more manageable when you let the computer do the boring work for you.

Set up HTTPS, automatic backups, automatic nightly upgrades and join the awesome Bonfire community without a single worry about losing data from your instance.

  • unhrpetby@sh.itjust.works
    1 day ago

    There was this recent attack on XZ Utils, which shows that more attention is needed on the code being merged and compiled.

    XZ was made possible largely because there was unaudited binary data. One part as test data in the repo, and the other part within the pre-built releases. Bootstrapping everything from source would have required that these binaries had an auditable source, thus allowing public eyes to review the code and likely stopping the attack. Granted, reproducibility almost certainly would have too, unless the malware wasn’t directly present in the code.

    Pulled from here:

    Every unauditable binary also leaves us vulnerable to compiler backdoors as described by Ken Thompson in the 1984 paper Reflections on Trusting Trust and beautifully explained by Carl Dong in his Bitcoin Build System Security talk.

    It is therefore equally important that we continue towards our final goal: A Full Source bootstrap; removing all unauditable binary seeds.

    Sure you might have the code that was input into GCC to create the binary, and sure the code can be absolutely safe, and you can even compile it yourself to see that you arrive at the same bit-for-bit binary as the official release binary. But was GCC safe? Did some other compilation dependency infect the compiled binary? Bootstrapping from an auditable seed can answer this question.